In a post entitled Applying Security Standards Like ISO 27002 to Compliance Requirements, Mark Tordoff comments on an article by Richard Mackey in SearchSecurity. The gist of both articles is that using a broad standard like ISO 27002 is a sensible approach to security. Further, combining the controls in ISO with the highly specific requirements of PCI DSS 1.1 can help those organizations subject to PCI to achieve compliance.
Absolutely no argument with any of this, but it leads to a broader discussion of how best to relate the controls found in standards like ISO and PCI, and how to determine which controls allow an organization to comply with the various requirements in regulations. Mapping specific, discrete, measurable controls to higher-level compliance requirements is still more art than science. It is highly subjective, and it requires a unique depth of understanding of many aspects of IT security and of the relevant compliance requirements. The challenge then extends to determining how best to test our actual compliance status. In some cases, there may be “machine data” that can determine whether we’re in compliance, based upon the presence or absence of a given control. Frequently, however, we will have to develop an assessment question to ask a human being about the control status.
The whole area of mapping regulations, requirements, controls, and assessment questions is a big, big challenge for most organizations. There is some very interesting work being done by a number of vendor organizations in this area, but we are a long way from reaching nirvana in the area of creating relationships between these entities that are useful and easily changeable.
Jim Hietala, CISSP, GSEC, is Research Director and a principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. He is also the Vice President, Security for The Open Group, where he manages all security and risk management programs and standards activities.

Jim has provided research and consulting services to organizations such as SANS, The Open Group, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several research whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

An industry veteran, he has held leadership roles at ControlPath, Avail Networks, Alternative Technologies, eSoft, Qwest, Concentric Network, and Digital Pathways. He developed and launched the industry’s first remote access VPN service (Concentric RemoteLink) and encrypting ISDN router (at Network Express), and launched a compliance and risk management software start-up in the IT-GRC market.

He holds a B.S. in Marketing from Southern Illinois University.
Blog: www.compliancefocus.com
Twitter: http://twitter.com/jim_hietala
LinkedIn: http://www.linkedin.com/in/jimhietala
Blogging focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy
Jim can be reached at: jim@compliancefocus.com